Cybersecurity laws spread

National Conference of State Legislatures

At least 34 states are considering bills or have enacted laws on security for computers and networks, according to a new report.

Since fall 2001, at least 24 states have introduced bills and 10 states have passed laws addressing information security, said a report released Tuesday by the National Conference of State Legislatures (NCSL). Among the states with new statutes: Florida, Michigan, California, Illinois, Kansas, Nevada, South Carolina, Tennessee, Texas and Virginia.

For example, Florida now allows police to investigate attacks on protected computers owned by financial institutions and government agencies. Until Jan. 1, 2006, California's legislature can hold closed sessions on potential threats of terrorist activity against state-owned personnel and property, including electronic data. Michigan imposed penalties against people who use the Internet or telecommunications systems or devices to disrupt critical infrastructure or government operations.

The Task Force on Protecting Democracy released the report during the legislature association's annual conference this week in San Francisco. Massachusetts state Sen. Richard Moore, co-chairman of the task force, said recent attention has gone to improving information system security across state governments because legislators understand that critical services, such as water facilities and transportation, rely on computers more than ever.

The legislatures' group is working with representatives from Fortune 300 companies, to ensure that states don't develop a hodgepodge of security policies and systems that would hinder economic development.

Better collaboration with the federal government and the private sector has helped state chief information officers improve security, said Patrick O'Donnell, task force co-chairman and the Nebraska Legislature's clerk. "I think [we're] better prepared today than in fall 2001," he said, though he noted that no system can be 100 percent secure.

Tuesday's report also noted that since 2001, several states have passed laws to combat driver's license counterfeiting. Although state-issued licenses have become, in essence, de facto national identification cards, Moore said NCSL doesn't support that tag. But legislatures are willing to impose certain standards nationwide that will make them less vulnerable to counterfeits, Moore said. Currently seven states — California, Colorado, Florida, Georgia, Hawaii, Texas and West Virginia — collect fingerprints when individuals apply for a license, but only Georgia uses fingerprint scans to certify an applicant's identity when issuing a replacement license.

West Virginia is the only state to use facial recognition software to verify applicants' identities when they renew or replace their licenses, although Colorado is considering a similar system. "It's a trend we're going to see continuing," Moore said.

Tuesday's report is the second from the legislative group's Task Force on Democracy. Last year, it issued a report with guidelines for state policymakers to assess their homeland security, public health and emergency response readiness.